Secure Access to CodeSync
Fast, GDPR-compliant package infrastructure engineered for Germany.
Manage API keys, configure OAuth flows, and enforce least-privilege access across your deployment pipeline. CodeSync requires authenticated requests for all write operations and rate-limits its read endpoints.
Supported Authentication Methods
CodeSync supports two primary authentication mechanisms designed for high-throughput package registries and automated CI/CD runners.
API Keys
Generate scoped tokens via the developer dashboard. Keys are valid for 90 days by default and support granular permissions like registry:read, registry:publish, and npm:scope:write. Ideal for automated pipelines, CLI tools, and Jenkins/GitLab CI runners.
OAuth 2.0
Integrate with GitHub, GitLab, or your enterprise identity provider. CodeSync handles token rotation and scope mapping automatically. Supports PKCE for public clients and refresh token rotation for long-lived sessions across distributed teams.
Lifecycle Management
Treat every credential as ephemeral. Use the dashboard or the codesync-cli key commands to rotate, audit, and revoke access without pipeline downtime.
When you create a key, specify its expiration window and allowed CIDR ranges. Keys prefixed with csy_prod_ are restricted to production environments, while csy_dev_ tokens automatically inherit sandbox limits and reduced rate caps. You can export key metadata as JSON for quarterly compliance audits. The system enforces a maximum of 12 active keys per user, with automatic deprecation notices sent 14 days before expiration.
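The rules above (prefix tied to environment, CIDR allowlists, 90-day default validity, 12 active keys, 14-day deprecation notice) are easy to check offline against a key-metadata export. The following is an added example, not CodeSync's own code or CLI output: it assumes a hypothetical JSON export shape (fields id, env, created, expires, cidrs) and uses a constructed sample; the numeric limits are the ones stated on this page.

```python
"""Added example (not CodeSync code): audit exported key metadata against the
lifecycle rules described on the page. The JSON field names are assumptions."""
import ipaddress
import json
from datetime import date, timedelta

MAX_ACTIVE_KEYS = 12            # per-user limit stated on the page
DEFAULT_VALIDITY_DAYS = 90      # default key lifetime
DEPRECATION_NOTICE_DAYS = 14    # notice is sent this many days before expiry

# Constructed sample export; hypothetical field names, not a real CodeSync export.
SAMPLE_EXPORT = """
[
 {"id": "csy_prod_a1b2", "env": "production", "created": "2024-01-10",
  "expires": "2024-04-09", "cidrs": ["10.0.0.0/8"]},
 {"id": "csy_dev_c3d4",  "env": "production", "created": "2024-02-01",
  "expires": "2024-05-01", "cidrs": ["0.0.0.0/0"]},
 {"id": "csy_prod_e5f6", "env": "production", "created": "2024-03-01",
  "expires": "2024-03-20", "cidrs": ["203.0.113.0/24"]}
]
"""


def parse_keys(text):
    """Parse the JSON export into a list of key dictionaries."""
    return json.loads(text)


def check_key(key, today):
    """Return a list of findings for one key; an empty list means compliant."""
    findings = []
    kid, env = key["id"], key["env"]

    # Prefix must agree with the environment the key is bound to.
    if kid.startswith("csy_prod_") and env != "production":
        findings.append("prod-prefixed key bound outside production")
    if kid.startswith("csy_dev_") and env == "production":
        findings.append("dev-prefixed key bound to production environment")

    # Every key should carry a real CIDR restriction, not 0.0.0.0/0.
    for cidr in key.get("cidrs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            findings.append(f"unrestricted CIDR allowlist {cidr}")

    created = date.fromisoformat(key["created"])
    expires = date.fromisoformat(key["expires"])
    if (expires - created).days > DEFAULT_VALIDITY_DAYS:
        findings.append("validity window exceeds 90-day default")
    if expires <= today:
        findings.append("expired")
    elif expires - today <= timedelta(days=DEPRECATION_NOTICE_DAYS):
        findings.append("within deprecation-notice window")
    return findings


def audit(keys, today_iso):
    """Check every key and the per-user active-key limit for a given audit date."""
    today = date.fromisoformat(today_iso)
    report = {k["id"]: check_key(k, today) for k in keys}
    active = [k for k in keys if date.fromisoformat(k["expires"]) > today]
    if len(active) > MAX_ACTIVE_KEYS:
        report["_user"] = [f"{len(active)} active keys exceeds limit of {MAX_ACTIVE_KEYS}"]
    return report


def run_audit(text, today_iso):
    """Convenience wrapper: parse an export and audit it."""
    return audit(parse_keys(text), today_iso)


if __name__ == "__main__":
    for key_id, findings in run_audit(SAMPLE_EXPORT, "2024-03-15").items():
        print(key_id, findings or "ok")
```

Running this on the constructed export for 15 March 2024 reports the dev-prefixed key bound to production with an open allowlist, and flags the third key as inside its 14-day notice window; the same checks can be scheduled against a real quarterly export once the field names are mapped to the actual format.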
Hardening Your Integration
Follow these operational standards to maintain zero-trust compliance across your package supply chain.
Never embed long-lived credentials in repository root files or Docker images. Use environment variable injection with CODESYNC_AUTH_TOKEN in your CI runners. Enable audit logging in the organization settings to track token:created, token:used, and scope:escalated events. For multi-tenant deployments, isolate project scopes using namespace prefixes like @acme-corp/internal and restrict cross-namespace publishing. Rotate keys quarterly and monitor the /v1/auth/health endpoint for anomaly detection and failed login thresholds.
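Audit logging is only useful if something reads the events. The following is an added example, not part of CodeSync or its tooling: it runs three detection rules over organization audit events (every scope:escalated event, any publish whose target namespace differs from the key's own namespace, and a sliding-window failed-login threshold). The JSON-lines format and its fields are assumptions; token:created, token:used and scope:escalated are the event names from the page, while auth:failed is a hypothetical event name used for the login-threshold rule.

```python
"""Added example (not CodeSync code): simple detection rules over audit-log lines.
The log format, field names and the auth:failed event are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                  # alert on the 5th failure ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Constructed sample log in a hypothetical JSON-lines shape.
SAMPLE_LOG = """\
{"ts":"2024-03-15T09:00:00Z","event":"token:created","actor":"alice","key":"csy_prod_a1b2","namespace":"@acme-corp/internal"}
{"ts":"2024-03-15T09:01:00Z","event":"token:used","actor":"alice","key":"csy_prod_a1b2","action":"publish","namespace":"@acme-corp/internal","target":"@acme-corp/internal"}
{"ts":"2024-03-15T09:02:00Z","event":"token:used","actor":"ci-bot","key":"csy_prod_e5f6","action":"publish","namespace":"@acme-corp/internal","target":"@acme-corp/public"}
{"ts":"2024-03-15T09:03:00Z","event":"scope:escalated","actor":"bob","key":"csy_dev_c3d4","from":"registry:read","to":"registry:publish"}
{"ts":"2024-03-15T09:03:30Z","event":"auth:failed","actor":"alice"}
{"ts":"2024-03-15T09:04:00Z","event":"auth:failed","actor":"mallory"}
{"ts":"2024-03-15T09:05:00Z","event":"auth:failed","actor":"mallory"}
{"ts":"2024-03-15T09:06:00Z","event":"auth:failed","actor":"mallory"}
{"ts":"2024-03-15T09:07:00Z","event":"auth:failed","actor":"mallory"}
{"ts":"2024-03-15T09:08:00Z","event":"auth:failed","actor":"mallory"}
{"ts":"2024-03-15T09:30:00Z","event":"auth:failed","actor":"mallory"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events):
    """Apply the three rules; return (rule, actor, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)  # actor -> timestamps of recent failed logins
    for e in events:
        if e["event"] == "scope:escalated":
            # Any privilege change on a token is worth a human look.
            alerts.append(("scope_escalation", e["actor"], f'{e["from"]} -> {e["to"]}'))
        elif e["event"] == "token:used" and e.get("action") == "publish":
            # Publishing outside the key's own namespace violates the isolation rule.
            if e.get("target") != e.get("namespace"):
                alerts.append(("cross_namespace_publish", e["actor"],
                               f'{e["namespace"]} -> {e["target"]}'))
        elif e["event"] == "auth:failed":
            window = failures[e["actor"]]
            window.append(e["ts"])
            # Expire failures that fell out of the sliding window.
            while window and e["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            # Fire exactly once when the threshold is reached, not on every later failure.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_threshold", e["actor"],
                               f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
    return alerts


def run_detection(text):
    """Parse a log export and return the alerts it produces."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for rule, actor, detail in run_detection(SAMPLE_LOG):
        print(f"{rule:26} {actor:10} {detail}")
```

On the constructed log this yields three alerts: ci-bot publishing into @acme-corp/public with a key scoped to @acme-corp/internal, bob's token gaining registry:publish, and mallory's fifth failed login inside ten minutes; the single failure by alice and mallory's later failure at 09:30, by which time the window has emptied, do not fire.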